A wildly popular Google Chrome extension was being used as a giant botnet

One of the most popular Chrome extensions is selling its users'
bandwidth, largely without their knowledge — and it can be used
by hackers to maliciously attack websites.

Hola is a VPN — a "virtual private network." As streaming
platforms like Netflix have risen in popularity, there has been a
corresponding boom in VPNs, which help users circumvent the
regional restrictions that forbid Americans from watching certain
BBC shows, or British people from watching some shows on Comedy
Central in the US.

One of the most popular of these is Hola. Unlike most VPNs, it's
free to download as an easy-to-use browser plugin in the Google
Chrome store. It currently has more than 6 million users.
CNN Money said, "Hola is changing the way we use the internet"
(we've also written about it warmly).

To avoid the need for fees, Hola uses a peer-to-peer system,
routing users' traffic through other users' connections. A Brit
trying to watch an American-only service, for example, might be
routed through an American user's internet connection.

But it is also selling access to users' bandwidth for a profit
via the service Luminati, as Hola discloses on a little-read FAQ
page. Luminati lets users buy access to the Hola network for a
fee, for instance if users need a secure way to route commercial
traffic anonymously.
This revenue keeps Hola free for users. But in the wrong
hands this same function can transform its
networked users into an unwitting botnet.

Frederick Brennan found that out when Hola was used to attack his
website earlier this week.

Brennan, often known by the online moniker "Hotwheels," is the
administrator of 8chan, a countercultural online messageboard.
Earlier this week Brennan was targeted by thousands of
"legitimate-looking" posts, "prompting a 100x spike over peak
traffic," he wrote in a
blogpost.

The attack originated with a user called "Bui" (who has attacked
8chan before), who later told Brennan he had used Hola's Luminati
service to carry it out.

Hola's founder Ofer Vilenski confirmed to Business Insider that
Bui had "got through our screening process." He also said that
the attack had been ended and Bui banned from the network.

The peer-to-peer nature of the site also potentially puts users
at risk. On the anonymising Tor network, which works in a similar
way, users have to opt-in to become an "exit node" — a point at
which traffic can come and go, in and out of the network. But
everyone using Hola is an exit node. This implies that
if someone is using the plugin to conduct illegal activity
through your connection, law enforcement might suspect you're to
blame.

Brennan believes that the company is "acting extremely
irresponsibly," and wants to "help users learn that others are
using their internet connections without their knowledge or
express permission."

Hola's Vilenski told Business
Insider that there was nothing uniquely vulnerable about Hola's
VPN — the hacker "could have used any commercial VPN network, but
chose to do so with ours." Furthermore, the company has been
"listening to the conversations about Hola and while we think
we've been clear about what we are doing, we have decided to
provide more details about how this works, and thus the changes
[to the website] in the past 24 hours."